authorMax Krummenacher <max.krummenacher@toradex.com>2023-12-13 16:19:37 +0100
committerMax Krummenacher <max.krummenacher@toradex.com>2023-12-20 16:47:43 +0000
commit5e45485bdd561b3b1b46b3550447e2e4c5e53761 (patch)
treeb6bc50afa1980433a9e14f1b03278bb8ea10883d
parent89ee719c06f69a28d8b6c2af5cacf6bd946878b7 (diff)
imx-mkimage: fix u-boot spl authentication vulnerability
This backports the fixes addressing the CVE-2023-39902 vulnerability into the imx-mkimage tool. [1] To be used with a U-Boot containing the LFU-573 patches. [1] https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196 The LFOPTEE patch is backported so that the two LFU-573 patches apply with less fuzz. Relates-to: ELB-5476 Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
-rw-r--r--recipes-bsp/imx-mkimage/files/0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch40
-rw-r--r--recipes-bsp/imx-mkimage/files/0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch213
-rw-r--r--recipes-bsp/imx-mkimage/files/0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch206
-rw-r--r--recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend1
-rw-r--r--recipes-bsp/imx-mkimage/imx-mkimage-patches.inc9
-rw-r--r--recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend1
6 files changed, 470 insertions, 0 deletions
diff --git a/recipes-bsp/imx-mkimage/files/0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch b/recipes-bsp/imx-mkimage/files/0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch
new file mode 100644
index 0000000..312c1c8
--- /dev/null
+++ b/recipes-bsp/imx-mkimage/files/0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch
@@ -0,0 +1,40 @@
+From 884f7b3e917194ebb3d7e621df9af7ed496a91eb Mon Sep 17 00:00:00 2001
+From: Olivier Masse <olivier.masse@nxp.com>
+Date: Wed, 16 Nov 2022 12:05:50 +0100
+Subject: [PATCH 1/3] LFOPTEE-126: Add spl and sld Blocks info
+
+Dump hab block information used by the signature script.
+To ease the parsing process in meta-secure-boot recipe,
+mkimage_imx8 tool dump spl and sld hab blocks correctly
+formated for csf configuration file.
+
+Signed-off-by: Olivier Masse <olivier.masse@nxp.com>
+
+Upstream-Status: Backport [66cef04afacc104e47fb65ac9879e70e45334c3f]
+Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
+---
+ iMX8M/mkimage_imx8.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/iMX8M/mkimage_imx8.c b/iMX8M/mkimage_imx8.c
+index 54828d1..06ab485 100644
+--- a/iMX8M/mkimage_imx8.c
++++ b/iMX8M/mkimage_imx8.c
+@@ -1662,6 +1662,14 @@ int main(int argc, char **argv)
+ fprintf(stderr, " sld hab block: \t0x%x 0x%x 0x%x\n",
+ sld_load_addr, sld_header_off, sld_csf_off - sld_header_off);
+
++ fprintf(stderr, "SPL CSF block:\n");
++ fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\"\n",
++ imx_header[IMAGE_IVT_ID].fhdr.self, header_image_off, csf_off - header_image_off);
++
++ fprintf(stderr, "SLD CSF block:\n");
++ fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\",\\\n",
++ sld_load_addr, sld_header_off, sld_csf_off - sld_header_off);
++
+ return 0;
+ }
+
+--
+2.42.0
+
diff --git a/recipes-bsp/imx-mkimage/files/0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch b/recipes-bsp/imx-mkimage/files/0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch
new file mode 100644
index 0000000..62cac84
--- /dev/null
+++ b/recipes-bsp/imx-mkimage/files/0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch
@@ -0,0 +1,213 @@
+From 15fb16dbb686250bb3b9457d3a158c7d097beb39 Mon Sep 17 00:00:00 2001
+From: Ye Li <ye.li@nxp.com>
+Date: Mon, 3 Jul 2023 17:31:32 +0800
+Subject: [PATCH 2/3] LFU-573-1 imx8m: Generate hash of FIT FDT structure to
+ SPL image
+
+Generate the hash of FIT FDT structure by SHA256 and append it
+to end of SPL image (after DDR FW).
+SPL will get the hash from the position to verify the FIT FDT
+structure in loaded FIT image.
+
+Signed-off-by: Ye Li <ye.li@nxp.com>
+
+Upstream-Status: Backport [2f2d426f03ebbcf7a9c28cf53680cd5777e70ea1]
+Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
+---
+ iMX8M/mkimage_imx8.c | 109 ++++++++++++++++++++++++++++++++++++++++++-
+ iMX8M/soc.mak | 14 ++++--
+ 2 files changed, 117 insertions(+), 6 deletions(-)
+
+diff --git a/iMX8M/mkimage_imx8.c b/iMX8M/mkimage_imx8.c
+index 06ab485..68022d6 100644
+--- a/iMX8M/mkimage_imx8.c
++++ b/iMX8M/mkimage_imx8.c
+@@ -366,6 +366,31 @@ copy_file (int ifd, const char *datafile, int pad, int offset, int datafile_offs
+ (void) close (dfd);
+ }
+
++static void append_data(char *filename, uint8_t *data, int size)
++{
++ int dfd, ret;
++
++ if ((dfd = open(filename, O_RDWR|O_BINARY)) < 0) {
++ fprintf (stderr, "Can't open %s: %s\n",
++ filename, strerror(errno));
++ exit (EXIT_FAILURE);
++ }
++
++ ret = lseek(dfd, 0, SEEK_END);
++ if (ret < 0) {
++ fprintf(stderr, "%s: lseek error %s\n",
++ __func__, strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ if (write(dfd, data, size) != size) {
++ fprintf (stderr, "Write error %s\n",
++ strerror(errno));
++ exit (EXIT_FAILURE);
++ }
++ (void) close (dfd);
++}
++
++
+ enum imximage_fld_types {
+ CFG_INVALID = -1,
+ CFG_COMMAND,
+@@ -861,6 +886,77 @@ void generate_sld_with_ivt(char * input_file, uint32_t ep, char *out_file)
+ close(input_fd);
+ }
+
++#define HASH_MAX_LEN 32
++static void calc_fitimage_hash(char* filename, uint8_t *hash)
++{
++ int sld_fd;
++ FILE *fp = NULL;
++ char sha_command[512];
++ char *digest_type = "sha256sum";
++ char hash_char[2 * HASH_MAX_LEN + 1];
++ int digest_length = 64;
++
++ uimage_header_t image_header;
++ uint32_t fit_size;
++
++ sld_fd = open(filename, O_RDONLY | O_BINARY);
++ if (sld_fd < 0) {
++ fprintf(stderr, "%s: Can't open: %s\n",
++ filename, strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++
++ if (read(sld_fd, (char *)&image_header, sizeof(uimage_header_t)) != sizeof(uimage_header_t)) {
++ fprintf (stderr, "generate_ivt_for_fit read failed: %s\n",
++ strerror(errno));
++ exit (EXIT_FAILURE);
++ }
++
++ if (be32_to_cpu(image_header.ih_magic) != FDT_MAGIC){
++ fprintf (stderr, "generate_ivt_for_fit error: not a FIT file\n");
++ exit (EXIT_FAILURE);
++ }
++
++ fit_size = fdt_totalsize(&image_header);
++
++ fprintf(stderr, "fit_size: %u\n", fit_size);
++
++ sprintf(sha_command, "dd if=\'%s\' of=tmp_pad bs=%d count=1;\
++ %s tmp_pad; rm -f tmp_pad;",
++ filename, fit_size, digest_type);
++
++ memset(hash, 0, HASH_MAX_LEN);
++
++ fp = popen(sha_command, "r");
++ if (fp == NULL) {
++ fprintf(stderr, "Failed to run command hash\n" );
++ exit(EXIT_FAILURE);
++ }
++
++ if(fgets(hash_char, digest_length + 1, fp) == NULL) {
++ fprintf(stderr, "Failed to hash file: %s\n", filename);
++ exit(EXIT_FAILURE);
++ }
++
++ for(int i = 0; i < strlen(hash_char)/2; i++){
++ sscanf(hash_char + 2*i, "%02hhx", &hash[i]);
++ }
++
++ pclose(fp);
++ (void) close (sld_fd);
++}
++
++void dump_fit_hash(uint8_t *hash, int size)
++{
++ int i;
++
++ fprintf(stderr, "FIT hash: ");
++ for (i = 0; i < size; i++) {
++ fprintf(stderr, "%x", hash[i]);
++ }
++ fprintf(stderr, "\n");
++}
++
+ /* Return this IVT offset in the final output file */
+ int generate_ivt_for_fit(int fd, int fit_offset, uint32_t ep, uint32_t *fit_load_addr)
+ {
+@@ -943,6 +1039,8 @@ int main(int argc, char **argv)
+ uimage_header_t uimage_hdr;
+ uint32_t version = ROM_V1;
+
++ uint8_t fit_hash[HASH_MAX_LEN];
++
+ static struct option long_options[] =
+ {
+ {"loader", required_argument, NULL, 'i'},
+@@ -1146,6 +1244,15 @@ int main(int argc, char **argv)
+ exit(1);
+ }
+
++ if (sld_img && using_fit) {
++ calc_fitimage_hash(sld_img, fit_hash);
++
++ /* Append hash to ap_img */
++ append_data(ap_img, fit_hash, HASH_MAX_LEN);
++
++ dump_fit_hash(fit_hash, HASH_MAX_LEN);
++ }
++
+ if (version == ROM_V2) {
+
+ /* On V2, flexspi IVT offset is 0, image offset is 0x1000 */
+@@ -1638,7 +1745,7 @@ int main(int argc, char **argv)
+ }
+
+ /* The FLEXSPI configuration parameters will add to flash.bin by script, so need add 0x1000 offset to every offset prints */
+- if ((version == ROM_V2 && rom_image_offset == IVT_OFFSET_FLEXSPI) ||
++ if ((version == ROM_V2 && rom_image_offset == IVT_OFFSET_FLEXSPI) ||
+ (version == ROM_V1 && ivt_offset == IVT_OFFSET_FLEXSPI)) {
+ header_image_off += IVT_OFFSET_FLEXSPI;
+ dcd_off += IVT_OFFSET_FLEXSPI;
+diff --git a/iMX8M/soc.mak b/iMX8M/soc.mak
+index 0a69b71..5131891 100644
+--- a/iMX8M/soc.mak
++++ b/iMX8M/soc.mak
+@@ -100,8 +100,9 @@ u-boot-spl-ddr.bin: u-boot-spl.bin $(lpddr4_imem_1d) $(lpddr4_dmem_1d) $(lpddr4_
+ @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(lpddr4_imem_1d) lpddr4_pmu_train_1d_imem_pad.bin
+ @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(lpddr4_dmem_1d) lpddr4_pmu_train_1d_dmem_pad.bin
+ @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(lpddr4_imem_2d) lpddr4_pmu_train_2d_imem_pad.bin
++ @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(lpddr4_dmem_2d) lpddr4_pmu_train_2d_dmem_pad.bin
+ @cat lpddr4_pmu_train_1d_imem_pad.bin lpddr4_pmu_train_1d_dmem_pad.bin > lpddr4_pmu_train_1d_fw.bin
+- @cat lpddr4_pmu_train_2d_imem_pad.bin $(lpddr4_dmem_2d) > lpddr4_pmu_train_2d_fw.bin
++ @cat lpddr4_pmu_train_2d_imem_pad.bin lpddr4_pmu_train_2d_dmem_pad.bin > lpddr4_pmu_train_2d_fw.bin
+ @dd if=u-boot-spl.bin of=u-boot-spl-pad.bin bs=4 conv=sync
+ @cat u-boot-spl-pad.bin lpddr4_pmu_train_1d_fw.bin lpddr4_pmu_train_2d_fw.bin > u-boot-spl-ddr.bin
+ @rm -f u-boot-spl-pad.bin lpddr4_pmu_train_1d_fw.bin lpddr4_pmu_train_2d_fw.bin lpddr4_pmu_train_1d_imem_pad.bin lpddr4_pmu_train_1d_dmem_pad.bin lpddr4_pmu_train_2d_imem_pad.bin
+@@ -115,8 +116,9 @@ u-boot-spl-ddr4.bin: u-boot-spl.bin $(ddr4_imem_1d) $(ddr4_dmem_1d) $(ddr4_imem_
+ @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(ddr4_imem_1d) ddr4_imem_1d_pad.bin
+ @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(ddr4_dmem_1d) ddr4_dmem_1d_pad.bin
+ @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(ddr4_imem_2d) ddr4_imem_2d_pad.bin
++ @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(ddr4_dmem_2d) ddr4_dmem_2d_pad.bin
+ @cat ddr4_imem_1d_pad.bin ddr4_dmem_1d_pad.bin > ddr4_1d_fw.bin
+- @cat ddr4_imem_2d_pad.bin $(ddr4_dmem_2d) > ddr4_2d_fw.bin
++ @cat ddr4_imem_2d_pad.bin ddr4_dmem_2d_pad.bin > ddr4_2d_fw.bin
+ @dd if=u-boot-spl.bin of=u-boot-spl-pad.bin bs=4 conv=sync
+ @cat u-boot-spl-pad.bin ddr4_1d_fw.bin ddr4_2d_fw.bin > u-boot-spl-ddr4.bin
+ @rm -f u-boot-spl-pad.bin ddr4_1d_fw.bin ddr4_2d_fw.bin ddr4_imem_1d_pad.bin ddr4_dmem_1d_pad.bin ddr4_imem_2d_pad.bin
+@@ -126,10 +128,12 @@ ddr3_dmem_1d = ddr3_dmem_1d$(DDR_FW_VERSION).bin
+
+ u-boot-spl-ddr3l.bin: u-boot-spl.bin $(ddr3_imem_1d) $(ddr3_dmem_1d)
+ @objcopy -I binary -O binary --pad-to 0x8000 --gap-fill=0x0 $(ddr3_imem_1d) ddr3_imem_1d.bin_pad.bin
+- @cat ddr3_imem_1d.bin_pad.bin $(ddr3_dmem_1d) > ddr3_pmu_train_fw.bin
++ @objcopy -I binary -O binary --pad-to 0x4000 --gap-fill=0x0 $(ddr3_dmem_1d) ddr3_dmem_1d.bin_pad.bin
++ @cat ddr3_imem_1d.bin_pad.bin ddr3_dmem_1d.bin_pad.bin > ddr3_pmu_train_fw.bin
++ @dd if=/dev/zero of=ddr3_fw_zero_pad.bin bs=1 count=49152 conv=sync
+ @dd if=u-boot-spl.bin of=u-boot-spl-pad.bin bs=4 conv=sync
+- @cat u-boot-spl-pad.bin ddr3_pmu_train_fw.bin > u-boot-spl-ddr3l.bin
+- @rm -f u-boot-spl-pad.bin ddr3_pmu_train_fw.bin ddr3_imem_1d.bin_pad.bin
++ @cat u-boot-spl-pad.bin ddr3_pmu_train_fw.bin ddr3_fw_zero_pad.bin > u-boot-spl-ddr3l.bin
++ @rm -f u-boot-spl-pad.bin ddr3_pmu_train_fw.bin ddr3_imem_1d.bin_pad.bin ddr3_fw_zero_pad.bin
+
+ u-boot-atf.bin: u-boot.bin bl31.bin
+ @cp bl31.bin u-boot-atf.bin
+--
+2.42.0
+
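Review bot: In calc_fitimage_hash the shell command is built with an unbounded `sprintf` into the 512-byte `sha_command` and handed to `popen`, so an over-long or quote-containing `filename` (it is the `sld_img` path straight from the command line) either overflows the buffer or is interpreted by the shell; at minimum bound it, `int n = snprintf(sha_command, sizeof sha_command, ...); if (n < 0 || (size_t)n >= sizeof sha_command) { fprintf(stderr, "%s: command too long\n", __func__); exit(EXIT_FAILURE); }`, and preferably compute SHA-256 in-process instead of via `dd`/`sha256sum` and a fixed `tmp_pad` file in the working directory. `fit_size` comes from `fdt_totalsize` on the header of a file that has only been magic-checked and is passed to `dd bs=%d` as a `uint32_t` printed with a signed conversion, with no sanity bound. The return of `pclose` is discarded, so a failing `dd` or `sha256sum` that still prints something is not detected, and the error strings in this function still say `generate_ivt_for_fit`, which will mislead whoever reads the log. This is a vendored NXP backport, so the fix belongs upstream first, but the layer now ships it.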
diff --git a/recipes-bsp/imx-mkimage/files/0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch b/recipes-bsp/imx-mkimage/files/0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch
new file mode 100644
index 0000000..77002af
--- /dev/null
+++ b/recipes-bsp/imx-mkimage/files/0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch
@@ -0,0 +1,206 @@
+From d1ba709ee91d56f135c2fbaed666cd454243e155 Mon Sep 17 00:00:00 2001
+From: Ye Li <ye.li@nxp.com>
+Date: Thu, 27 Jul 2023 09:52:33 +0800
+Subject: [PATCH 3/3] LFU-573-2 imx8m: Reserve new IVT+CSF for FIT FDT
+ signature
+
+Without using FIT FDT hash, we also allow user to sign FIT FDT structure,
+so that FIT image can upgrade individually. The option needs
+CONFIG_IMX_SPL_FIT_FDT_SIGNATURE enabled in SPL.
+
+imx-mkimage will insert the new IVT for FIT FDT signature by default
+and reserve the CSF (0x2000) for the FIT FDT signature.
+
+Signed-off-by: Ye Li <ye.li@nxp.com>
+
+Upstream-Status: Backport [5a0faefc223e51e088433663b6e7d6fbce89bf59]
+
+Conflicts:
+ iMX8M/soc.mak
+ - meta-freescale patched to use mkimage
+ - upstream adds the posibility to use addtional dtbo, now dropped
+
+Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
+
+---
+ iMX8M/mkimage_imx8.c | 42 +++++++++++++++++++++++++++++++++++++++++-
+ iMX8M/print_fit_hab.sh | 4 ++--
+ iMX8M/soc.mak | 17 +++++++++--------
+ 3 files changed, 52 insertions(+), 11 deletions(-)
+
+diff --git a/iMX8M/mkimage_imx8.c b/iMX8M/mkimage_imx8.c
+index 68022d6..f37a2f6 100644
+--- a/iMX8M/mkimage_imx8.c
++++ b/iMX8M/mkimage_imx8.c
+@@ -999,7 +999,7 @@ int generate_ivt_for_fit(int fd, int fit_offset, uint32_t ep, uint32_t *fit_load
+ }
+
+ /* ep is the u-boot entry. SPL loads the FIT before the u-boot address. 0x2000 is for CSF_SIZE */
+- load_addr = (ep - (fit_size + CSF_SIZE) - 512 -
++ load_addr = (ep - (fit_size + 2 * CSF_SIZE) - 512 -
+ align_len) & ~align_len;
+
+ flash_header_v2_t ivt_header = { { 0xd1, 0x2000, 0x40 },
+@@ -1013,6 +1013,24 @@ int generate_ivt_for_fit(int fd, int fit_offset, uint32_t ep, uint32_t *fit_load
+ exit(EXIT_FAILURE);
+ }
+
++ ret = lseek(fd, fit_offset + fit_size + CSF_SIZE, SEEK_SET);
++ if (ret < 0) {
++ fprintf(stderr, "%s: lseek error %s\n",
++ __func__, strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++
++ flash_header_v2_t fdt_ivt_header = { { 0xd1, 0x2000, 0x40 },
++ load_addr, 0, 0, 0,
++ (load_addr + fit_size + CSF_SIZE ),
++ (load_addr + fit_size + CSF_SIZE + 0x20),
++ 0 };
++
++ if (write(fd, &fdt_ivt_header, sizeof(flash_header_v2_t)) != sizeof(flash_header_v2_t)) {
++ fprintf(stderr, "FIT FDT IVT writing error on fit image\n");
++ exit(EXIT_FAILURE);
++ }
++
+ *fit_load_addr = load_addr;
+
+ return fit_offset + fit_size;
+@@ -1229,6 +1247,11 @@ int main(int argc, char **argv)
+ fprintf(stderr, " fit hab block: \t0x%x 0x%x 0x%x\n",
+ sld_load_addr, sld_src_off, sld_csf_off - sld_src_off);
+
++ fprintf(stderr, " fit-fdt_csf_off \t0x%x\n",
++ sld_csf_off + CSF_SIZE);
++ fprintf(stderr, " fit-fdt hab block: \t0x%x 0x%x 0x%x\n",
++ sld_load_addr, sld_src_off, sld_csf_off + CSF_SIZE - sld_src_off);
++
+ exit(0);
+ }
+
+@@ -1777,6 +1800,23 @@ int main(int argc, char **argv)
+ fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\",\\\n",
+ sld_load_addr, sld_header_off, sld_csf_off - sld_header_off);
+
++ fprintf(stderr, " fit-fdt csf_off \t0x%x\n",
++ sld_csf_off + CSF_SIZE);
++ fprintf(stderr, " fit-fdt hab block: \t0x%x 0x%x 0x%x\n",
++ sld_load_addr, sld_header_off, sld_csf_off + CSF_SIZE - sld_header_off);
++
++// fprintf(stderr, "SPL CSF block:\n");
++// fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\"\n",
++// imx_header[IMAGE_IVT_ID].fhdr.self, header_image_off, csf_off - header_image_off);
++
++// fprintf(stderr, "SLD CSF block:\n");
++// fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\",\\\n",
++// sld_load_addr, sld_header_off, sld_csf_off - sld_header_off);
++
++ fprintf(stderr, "SLD FIT-FDT CSF block:\n");
++ fprintf(stderr, "\tBlocks = \t0x%x 0x%x 0x%x \"flash.bin\"\n",
++ sld_load_addr, sld_header_off, sld_csf_off + CSF_SIZE - sld_header_off);
++
+ return 0;
+ }
+
+diff --git a/iMX8M/print_fit_hab.sh b/iMX8M/print_fit_hab.sh
+index 6f1a22d..d1e344a 100755
+--- a/iMX8M/print_fit_hab.sh
++++ b/iMX8M/print_fit_hab.sh
+@@ -24,10 +24,10 @@ fi
+
+ if [ "$BOOT_DEV" = "flexspi" ] || [ ${fit_off} == 0 ]; then
+ # We dd flash.bin to 0 offset for flexspi
+- let uboot_sign_off=$((fit_off + 0x3000))
++ let uboot_sign_off=$((fit_off + $FIT_DATA_POS))
+ else
+ # We dd flash.bin to 33KB "0x8400" offset, so need minus 0x8400
+- let uboot_sign_off=$((fit_off - 0x8000 - ivt_off + 0x3000))
++ let uboot_sign_off=$((fit_off - 0x8000 - ivt_off + $FIT_DATA_POS))
+ fi
+
+ let uboot_size=$(stat --printf="%s" $BL33)
+diff --git a/iMX8M/soc.mak b/iMX8M/soc.mak
+index 5131891..945183e 100644
+--- a/iMX8M/soc.mak
++++ b/iMX8M/soc.mak
+@@ -83,6 +83,7 @@ VERSION = v1
+ CAPSULE_GUID = 296119cf-dd70-43de-8ac8-a7051f312577
+ endif
+
++FIT_EXTERNAL_POSITION = 0x5000
+
+ FW_DIR = imx-boot/imx-boot-tools/$(PLAT)
+
+@@ -157,7 +158,7 @@ u-boot.itb: $(dtb)
+ ./$(PAD_IMAGE) bl31.bin
+ ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb)
+ BL32=$(TEE) DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) ../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb) > u-boot.its
+- mkimage -E -p 0x3000 -f u-boot.its u-boot.itb
++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot.its u-boot.itb
+ @rm -f u-boot.its $(dtb)
+
+ dtb_ddr3l = valddr3l.dtb
+@@ -169,7 +170,7 @@ u-boot-ddr3l.itb: $(dtb_ddr3l)
+ ./$(PAD_IMAGE) bl31.bin
+ ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr3l)
+ DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) ../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb_ddr3l) > u-boot-ddr3l.its
+- mkimage -E -p 0x3000 -f u-boot-ddr3l.its u-boot-ddr3l.itb
++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot-ddr3l.its u-boot-ddr3l.itb
+ @rm -f u-boot.its $(dtb_ddr3l)
+
+ dtb_ddr3l_evk = evkddr3l.dtb
+@@ -181,7 +182,7 @@ u-boot-ddr3l-evk.itb: $(dtb_ddr3l_evk)
+ ./$(PAD_IMAGE) bl31.bin
+ ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr3l_evk)
+ DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) ../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb_ddr3l_evk) > u-boot-ddr3l-evk.its
+- mkimage -E -p 0x3000 -f u-boot-ddr3l-evk.its u-boot-ddr3l-evk.itb
++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot-ddr3l-evk.its u-boot-ddr3l-evk.itb
+ @rm -f u-boot.its $(dtb_ddr3l_evk)
+
+ dtb_ddr4 = valddr4.dtb
+@@ -193,7 +194,7 @@ u-boot-ddr4.itb: $(dtb_ddr4)
+ ./$(PAD_IMAGE) bl31.bin
+ ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr4)
+ DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) ../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb_ddr4) > u-boot-ddr4.its
+- mkimage -E -p 0x3000 -f u-boot-ddr4.its u-boot-ddr4.itb
++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot-ddr4.its u-boot-ddr4.itb
+ @rm -f u-boot.its $(dtb_ddr4)
+
+ dtb_ddr4_evk = evkddr4.dtb
+@@ -205,7 +206,7 @@ u-boot-ddr4-evk.itb: $(dtb_ddr4_evk)
+ ./$(PAD_IMAGE) bl31.bin
+ ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr4_evk)
+ DEK_BLOB_LOAD_ADDR=$(DEK_BLOB_LOAD_ADDR) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) ../$(SOC_DIR)/mkimage_fit_atf.sh $(dtb_ddr4_evk) > u-boot-ddr4-evk.its
+- mkimage -E -p 0x3000 -f u-boot-ddr4-evk.its u-boot-ddr4-evk.itb
++ mkimage -E -p $(FIT_EXTERNAL_POSITION) -f u-boot-ddr4-evk.its u-boot-ddr4-evk.itb
+ @rm -f u-boot.its $(dtb_ddr4_evk)
+
+ ifeq ($(HDMI),yes)
+@@ -325,21 +326,21 @@ print_fit_hab: u-boot-nodtb.bin bl31.bin $(dtb)
+ ./$(PAD_IMAGE) $(TEE)
+ ./$(PAD_IMAGE) bl31.bin
+ ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb)
+- TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb)
++ FIT_DATA_POS=$(FIT_EXTERNAL_POSITION) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb)
+ @rm -f $(dtb)
+
+ print_fit_hab_ddr4: u-boot-nodtb.bin bl31.bin $(dtb_ddr4_evk)
+ ./$(PAD_IMAGE) $(TEE)
+ ./$(PAD_IMAGE) bl31.bin
+ ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb_ddr4_evk)
+- TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb_ddr4_evk)
++ FIT_DATA_POS=$(FIT_EXTERNAL_POSITION) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb_ddr4_evk)
+ @rm -f $(dtb_ddr4_evk)
+
+ print_fit_hab_flexspi: u-boot-nodtb.bin bl31.bin $(dtb)
+ ./$(PAD_IMAGE) $(TEE)
+ ./$(PAD_IMAGE) bl31.bin
+ ./$(PAD_IMAGE) u-boot-nodtb.bin $(dtb)
+- TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) BOOT_DEV="flexspi" ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb)
++ FIT_DATA_POS=$(FIT_EXTERNAL_POSITION) TEE_LOAD_ADDR=$(TEE_LOAD_ADDR) ATF_LOAD_ADDR=$(ATF_LOAD_ADDR) VERSION=$(VERSION) BOOT_DEV="flexspi" ../$(SOC_DIR)/print_fit_hab.sh $(PRINT_FIT_HAB_OFFSET) $(dtb)
+ @rm -f $(dtb)
+
+ nightly :
+--
+2.42.0
+
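Review bot: The `SPL CSF block` / `SLD CSF block` `fprintf` lines in `main` that patch 0001 of this same series introduces are disabled here with `//` rather than deleted, leaving eight lines of commented-out code in the tree; since both patches are carried together, either drop those lines from 0001 or remove them outright in this patch. The two new debug labels also differ, `" fit-fdt_csf_off \t0x%x\n"` in the early-exit path versus `" fit-fdt csf_off \t0x%x\n"` at the end of `main`, which will trip any script that greps for one of them; pick one spelling. `generate_ivt_for_fit` and `main` both begin and end outside these hunks.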
diff --git a/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend b/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend
new file mode 100644
index 0000000..2e2139a
--- /dev/null
+++ b/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend
@@ -0,0 +1 @@
+require imx-mkimage-patches.inc \ No newline at end of file
diff --git a/recipes-bsp/imx-mkimage/imx-mkimage-patches.inc b/recipes-bsp/imx-mkimage/imx-mkimage-patches.inc
new file mode 100644
index 0000000..b05a1ad
--- /dev/null
+++ b/recipes-bsp/imx-mkimage/imx-mkimage-patches.inc
@@ -0,0 +1,9 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files/:"
+
+# additional patches addressing U-Boot secure boot SPL Authentication Vulnerability (CVE-2023-39902)
+# (plus patches LFU-573* in downstream U-Boot)
+SRC_URI:append = " \
+ file://0001-LFOPTEE-126-Add-spl-and-sld-Blocks-info.patch \
+ file://0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch\
+ file://0003-LFU-573-2-imx8m-Reserve-new-IVT-CSF-for-FIT-FDT-sign.patch \
+"
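Review bot: The `SRC_URI:append` line for the 0002 patch has no space before its continuation backslash, unlike the other two entries; BitBake keeps the leading whitespace of the continued line so the result still parses, but it is fragile to edit and inconsistent, so write it as `file://0002-LFU-573-1-imx8m-Generate-hash-of-FIT-FDT-structure-t.patch \`.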
diff --git a/recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend b/recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend
new file mode 100644
index 0000000..2e2139a
--- /dev/null
+++ b/recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend
@@ -0,0 +1 @@
+require imx-mkimage-patches.inc \ No newline at end of file